From fca65347ccc6428d18865ac4e142a36cd5e414eb Mon Sep 17 00:00:00 2001 From: ezelbanaan <74717984+ezelbanaan@users.noreply.github.com> Date: Thu, 20 May 2021 16:08:16 +0200 Subject: [PATCH 01/12] Allows X-Content-Type-Options to be disabled This adds X-Content-Type-Options as a kwarg so it can be disabled. --- flask_talisman/talisman.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py index 2d55d13..401236a 100644 --- a/flask_talisman/talisman.py +++ b/flask_talisman/talisman.py @@ -76,7 +76,8 @@ def init_app( content_security_policy_nonce_in=None, referrer_policy=DEFAULT_REFERRER_POLICY, session_cookie_secure=True, - session_cookie_http_only=True): + session_cookie_http_only=True, + X_Content_Type_Options=True): """ Initialization. @@ -116,6 +117,7 @@ def init_app( session cookie. force_file_save: Prevents the user from opening a file download directly on >= IE 8 + X_Content_Type_Options: Prevents MIME type sniffing See README.rst for a detailed description of each option. """ @@ -165,6 +167,8 @@ def init_app( app.config['SESSION_COOKIE_HTTPONLY'] = True self.force_file_save = force_file_save + + self.X_Content_Type_Options = X_Content_Type_Options self.app = app @@ -285,7 +289,9 @@ def _set_frame_options_headers(self, headers, options): def _set_content_security_policy_headers(self, headers, options): headers['X-XSS-Protection'] = '1; mode=block' - headers['X-Content-Type-Options'] = 'nosniff' + + if self.X_Content_Type_Options: + headers['X-Content-Type-Options'] = 'nosniff' if self.force_file_save: headers['X-Download-Options'] = 'noopen' From d3ac51eb30a9d7d812de980fcd1cd30e66c91902 Mon Sep 17 00:00:00 2001 From: ezelbanaan <74717984+ezelbanaan@users.noreply.github.com> Date: Thu, 20 May 2021 16:32:06 +0200 Subject: [PATCH 02/12] X-Content-Type-Options added in options --- README.rst | 2 ++ 1 file changed, 2 insertions(+) 
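Review bot: The new flag is only read from `self.X_Content_Type_Options`, yet `_set_content_security_policy_headers` receives an `options` argument and the neighbouring frame-options code reads from `options[...]`, presumably to honour per-view overrides; if the per-view decorator is expected to toggle this header too, it cannot as written, so either thread the flag through `options` or state in the docstring that it is app-wide. The kwarg name also breaks the snake_case of every sibling parameter (`session_cookie_http_only`, `force_file_save`); a later patch in this series renames it to `x_content_type_options`, and the README entry added in PATCH 02 should use that final name. Setting it to `False` omits the header entirely, which is the intended effect but deserves a sentence explaining the security trade-off, e.g. `x_content_type_options: Send X-Content-Type-Options: nosniff (default). Set to False only if responses deliberately rely on browser MIME sniffing; this setting is app-wide, not per-view.`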
diff --git a/README.rst b/README.rst index d91027c..d4c85a2 100644 --- a/README.rst +++ b/README.rst @@ -113,6 +113,8 @@ Options `X-Download-Options `_ header to ``noopen`` to prevent IE >= 8 to from opening file downloads directly and only save them instead. +- ``X_Content_Type_Options``, default ``True``, Protects against MIME sniffing vulnerabilities. + Per-view options ~~~~~~~~~~~~~~~~ From 3382c251fc1e4933bbd0685b090206dfe948ed2f Mon Sep 17 00:00:00 2001 From: ezelbanaan <74717984+ezelbanaan@users.noreply.github.com> Date: Thu, 20 May 2021 17:27:23 +0200 Subject: [PATCH 03/12] Update README.rst --- README.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.rst b/README.rst index d4c85a2..d18b258 100644 --- a/README.rst +++ b/README.rst @@ -113,7 +113,7 @@ Options `X-Download-Options `_ header to ``noopen`` to prevent IE >= 8 to from opening file downloads directly and only save them instead. -- ``X_Content_Type_Options``, default ``True``, Protects against MIME sniffing vulnerabilities. +- ``x_content_type_options``, default ``True``, Protects against MIME sniffing vulnerabilities. Per-view options From 692edba9fcb6825414e40b5535c298917bf5ffe3 Mon Sep 17 00:00:00 2001 From: ezelbanaan <74717984+ezelbanaan@users.noreply.github.com> Date: Thu, 20 May 2021 17:29:10 +0200 Subject: [PATCH 04/12] Update talisman.py --- flask_talisman/talisman.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py index 401236a..aa1a89b 100644 --- a/flask_talisman/talisman.py +++ b/flask_talisman/talisman.py @@ -77,7 +77,7 @@ def init_app( referrer_policy=DEFAULT_REFERRER_POLICY, session_cookie_secure=True, session_cookie_http_only=True, - X_Content_Type_Options=True): + x_content_type_options=True): """ Initialization. 
@@ -117,7 +117,7 @@ def init_app( session cookie. force_file_save: Prevents the user from opening a file download directly on >= IE 8 - X_Content_Type_Options: Prevents MIME type sniffing + x_content_type_options: Prevents MIME type sniffing See README.rst for a detailed description of each option. """ @@ -168,7 +168,7 @@ def init_app( self.force_file_save = force_file_save - self.X_Content_Type_Options = X_Content_Type_Options + self.x_content_type_options = x_content_type_options self.app = app @@ -290,7 +290,7 @@ def _set_frame_options_headers(self, headers, options): def _set_content_security_policy_headers(self, headers, options): headers['X-XSS-Protection'] = '1; mode=block' - if self.X_Content_Type_Options: + if self.x_content_type_options: headers['X-Content-Type-Options'] = 'nosniff' if self.force_file_save: From aa13c1e584a322a9b0a7f229de23c7a5c54f4d8f Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 12:04:20 +0200 Subject: [PATCH 05/12] Fixed 2 whitespace error's --- flask_talisman/talisman.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py index aa1a89b..a5a3a30 100644 --- a/flask_talisman/talisman.py +++ b/flask_talisman/talisman.py @@ -167,7 +167,7 @@ def init_app( app.config['SESSION_COOKIE_HTTPONLY'] = True self.force_file_save = force_file_save - + self.x_content_type_options = x_content_type_options self.app = app @@ -289,7 +289,7 @@ def _set_frame_options_headers(self, headers, options): def _set_content_security_policy_headers(self, headers, options): headers['X-XSS-Protection'] = '1; mode=block' - + if self.x_content_type_options: headers['X-Content-Type-Options'] = 'nosniff' From da913c359e93de0a923d0f39478fed4bf219f8fc Mon Sep 17 00:00:00 2001 
From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 13:21:58 +0200 Subject: [PATCH 06/12] Added the option for X-XSS-Protection to be disabled --- flask_talisman/talisman.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py index a5a3a30..18646dd 100644 --- a/flask_talisman/talisman.py +++ b/flask_talisman/talisman.py @@ -77,7 +77,8 @@ def init_app( referrer_policy=DEFAULT_REFERRER_POLICY, session_cookie_secure=True, session_cookie_http_only=True, - x_content_type_options=True): + x_content_type_options=True, + x_xss_protection=True): """ Initialization. @@ -118,6 +119,8 @@ def init_app( force_file_save: Prevents the user from opening a file download directly on >= IE 8 x_content_type_options: Prevents MIME type sniffing + x_xss_protection: Prevents the page from loading when the browser + detects reflected cross-site scripting attacks See README.rst for a detailed description of each option. """ @@ -170,6 +173,8 @@ def init_app( self.x_content_type_options = x_content_type_options + self.x_xss_protection = x_xss_protection + self.app = app app.before_request(self._force_https) @@ -288,7 +293,8 @@ def _set_frame_options_headers(self, headers, options): options['frame_options_allow_from']) def _set_content_security_policy_headers(self, headers, options): - headers['X-XSS-Protection'] = '1; mode=block' + if self.x_xxs_protection: + headers['X-XSS-Protection'] = '1; mode=block' if self.x_content_type_options: headers['X-Content-Type-Options'] = 'nosniff' From fee7c2e30c3a69c668dff401bff354ebf72f0136 Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 13:23:49 +0200 Subject: [PATCH 07/12] Update README.rst Added the x_xss_protection option --- README.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/README.rst b/README.rst index d18b258..ea99e02 100644 --- a/README.rst +++ b/README.rst 
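Review bot: The docstring for `x_xss_protection` describes the header as preventing reflected XSS, but `X-XSS-Protection` is a legacy mechanism: Chromium removed its XSS Auditor, Firefox never implemented one, and the old filters have been abused for cross-site information leaks, so the note should say the real mitigation is the Content-Security-Policy this same method emits. As written, `False` omits the header rather than sending `X-XSS-Protection: 0`, which is the value generally recommended for browsers that still honour it; either document that difference or accept a string so callers can emit `0`. Separately, the guard reads `self.x_xxs_protection` while `init_app` stores `self.x_xss_protection`, so every response would raise AttributeError at this commit until PATCH 09 in the series fixes the spelling. Suggested docstring line: `x_xss_protection: Send the legacy X-XSS-Protection: 1; mode=block header (default). Modern browsers ignore it and older filters have been abused for side-channel leaks; set to False to omit it and rely on CSP.`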
@@ -114,6 +114,7 @@ Options header to ``noopen`` to prevent IE >= 8 to from opening file downloads directly and only save them instead. - ``x_content_type_options``, default ``True``, Protects against MIME sniffing vulnerabilities. +- ``x_xss_protection``, default ``True``, Protects against cross-site scripting (XSS) attacks. Per-view options From e23c150d71552b188d4c74976d8923b8f3dd18fa Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 13:36:52 +0200 Subject: [PATCH 08/12] Update talisman_test.py Adds tests for the X-XSS-Protection option and the X-Content-Type-Options. --- flask_talisman/talisman_test.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/flask_talisman/talisman_test.py b/flask_talisman/talisman_test.py index 8c75fc4..72e9a9e 100644 --- a/flask_talisman/talisman_test.py +++ b/flask_talisman/talisman_test.py @@ -165,6 +165,18 @@ def testContentSecurityPolicyOptions(self): response.headers['Content-Security-Policy'] ) + # x-content-type-options disabled + app = flask.Flask(__name__) + Talisman(app, x_content_type_options=False) + response = app.test_client().get('/', environ_overrides=HTTPS_ENVIRON) + self.assertNotIn('X-Content-Type-Options', response.headers) + + # x-xss-protection disabled + app = flask.Flask(__name__) + Talisman(app, x_xss_protection=False) + response = app.test_client().get('/', environ_overrides=HTTPS_ENVIRON) + self.assertNotIn('X-XSS-Protection', response.headers) + def testContentSecurityPolicyOptionsReport(self): # report-only policy self.talisman.content_security_policy_report_only = True From bc73c6fd50e0107ce261f6e37a7ec23240895435 Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 13:38:19 +0200 Subject: [PATCH 09/12] Update talisman.py Fixed a typo --- flask_talisman/talisman.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
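Review bot: The two new cases only cover the disabled path; nothing in this hunk asserts that the default still emits `X-Content-Type-Options: nosniff` and `X-XSS-Protection: 1; mode=block`, so a regression that drops either header unconditionally would pass unless an earlier test outside this hunk already pins the defaults. Add the positive assertions beside the new ones, e.g. `self.assertEqual(response.headers['X-Content-Type-Options'], 'nosniff')` against a default `Talisman(app)` client. Each case also builds a fresh `flask.Flask` app with no route registered, so the `/` request is presumably served as a 404; that is fine for a header check but worth a one-line comment, since the test is implicitly relying on the headers being applied to error responses as well. The enclosing `testContentSecurityPolicyOptions` starts outside the hunk.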
diff --git a/flask_talisman/talisman.py b/flask_talisman/talisman.py index 18646dd..20e3d2a 100644 --- a/flask_talisman/talisman.py +++ b/flask_talisman/talisman.py @@ -293,7 +293,7 @@ def _set_frame_options_headers(self, headers, options): options['frame_options_allow_from']) def _set_content_security_policy_headers(self, headers, options): - if self.x_xxs_protection: + if self.x_xss_protection: headers['X-XSS-Protection'] = '1; mode=block' if self.x_content_type_options: From 04265af7c590d93d7a54002bd876aa977b9f0278 Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 15:03:21 +0200 Subject: [PATCH 10/12] Removed python 3.4 See https://github.com/GoogleCloudPlatform/flask-talisman/pull/75#issuecomment-845912880 --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index d5e3ca1..c5e0892 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,8 +7,6 @@ matrix: env: NOXSESSION=lint - python: 3.6 env: NOXSESSION=tests-2.7 - - python: 3.4 - env: NOXSESSION=tests-3.4 - python: 3.5 env: NOXSESSION=tests-3.5 - python: 3.6 From 9268388195ac6389ef91fcc01f7238eb44467214 Mon Sep 17 00:00:00 2001 From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 15:04:01 +0200 Subject: [PATCH 11/12] Removed python version 3.4 See https://github.com/GoogleCloudPlatform/flask-talisman/pull/75#issuecomment-845912880 --- noxfile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/noxfile.py b/noxfile.py index ab866a9..68fd9a7 100644 --- a/noxfile.py +++ b/noxfile.py @@ -12,7 +12,7 @@ def lint(session): session.run('flake8', '--import-order-style=google', 'flask_talisman') -@nox.session(python=['2.7', '3.4', '3.5', '3.6']) +@nox.session(python=['2.7', '3.5', '3.6']) def tests(session): """Run the test suite""" session.install('flask', 'mock', 'pytest', 'pytest-cov') From ce3e8f86d05346ac5cbe71ba9821d9121a4cb910 Mon Sep 17 00:00:00 2001 
From: Bastiaan <74717984+ezelbanaan@users.noreply.github.com> Date: Fri, 21 May 2021 15:04:35 +0200 Subject: [PATCH 12/12] Removed python 3.4 See https://github.com/GoogleCloudPlatform/flask-talisman/pull/75#issuecomment-845912880 --- setup.py | 1 - 1 file changed, 1 deletion(-) diff --git a/setup.py b/setup.py index 2c5c028..dbd0974 100644 --- a/setup.py +++ b/setup.py @@ -47,7 +47,6 @@ 'Programming Language :: Python :: 2', 'Programming Language :: Python :: 3', 'Programming Language :: Python :: 2.7', - 'Programming Language :: Python :: 3.4', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6',